03-28-2017 06:30 AM
Hello everyone,
I am currently doing a POC at one of our customers and started configuring ACS; however, I have some issues with authentication.
Here is the scenario:
* I have reachability from the switch to the ISE server.
* Now I am getting access denied and I don't see any hits in my ISE logs.
* From the firewall: port 49 is open.
Here is the sample switch config:
aaa new-model
tacacs server ISE
address ipv4 10.10.x.x
key cisco
aaa group server tacacs+ ISE_GROUP
server name ISE
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization config-commands
aaa accounting exec default start-stop group ISE_GROUP
aaa accounting commands 1 default start-stop group ISE_GROUP
aaa accounting commands 15 default start-stop group ISE_GROUP
line vty 0 4
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
login authentication AAA
line vty 5 15
authorization commands 0 AAA
authorization commands 1 AAA
authorization commands 15 AAA
authorization exec AAA
login authentication AAA
Testing:
Router#test aaa group tacacs+ manny password legacy (this username is from the ISE database)
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
I have used these procedures to configure my ISE servers:
Please advise if there is a missing configuration in the switch.
03-28-2017 07:01 AM
Did you verify that the TACACS services are running on the ISE?
I receive this error if either the TACACS service is down or the ISE isn't aware of the NAD and isn't responding.
But you'll see a log entry on the ISE if the NAD isn't configured.
03-28-2017 10:21 AM
Thanks Oliver for the response, however the Enable Device Admin Service has been selected and it was running from the beginning.
Please note also that I haven't received any logs from ISE.
03-28-2017 10:48 AM
Did you fire some debug commands on the switch to see what it does? Also, did you check the ISE application logs?
03-28-2017 10:59 AM
Yes, I did some debugging for aaa and authentication, but what I've got is only access denied.
03-28-2017 01:15 PM
Try debug tacacs on the device to see what's going on. If the device has multiple IP addresses make sure the correct one is configured in ISE.
03-29-2017 12:16 AM
Here is the debug output for tacacs authentication and aaa authentication.
QYS-GFC-SW#debug tacacs authentication
TACACS+ authentication debugging is on
QYS-GFC-SW#debug aaa authe
QYS-GFC-SW#debug aaa authentication
AAA Authentication debugging is on
QYS-GFC-SW#terminal monitor
QYS-GFC-SW#terminal monitor
QYS-GFC-SW#
46w2d: AAA/MEMORY: free_user (0x5093FE0) user='cisco' ruser='QYS-GFC-SW' port='tty1' rem_addr='10.10.45.25' authen_type=ASCII service=NONE priv=15
46w2d: AAA/BIND(000000ED): Bind i/f
46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'
46w2d: TPLUS: Queuing AAA Authentication request 237 for processing
46w2d: TPLUS: processing authentication start request id 237
46w2d: TPLUS: Authentication start packet created for 237(manny)
46w2d: TPLUS: Using server 10.10.201.35
46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: Started 5 sec timeout
46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: timed out
46w2d: TPLUS: Choosing next server 10.10.201.35
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: Started 5 sec timeout
46w2d: TPLUS(000000ED)/4FC8790: releasing old socket 0
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out, clean up
46w2d: TPLUS(000000ED)/1/4FC8790: Processing the reply packet
46w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: manny] [Source: 10.10.45.25] [localport: 22] [Reason: Login Authentication Failed] at 01:40:40 UTC Thu Jan 20 1994
46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'
46w2d: TPLUS: Queuing AAA Authentication request 237 for processing
46w2d: TPLUS: processing authentication start request id 237
46w2d: TPLUS: Authentication start packet created for 237(manny)
46w2d: TPLUS: Using server 10.10.201.35
46w2d: TPLUS(000000ED)/0/NB_WAIT/5017030: Started 5 sec timeout
46w2d: TPLUS(000000ED)/0/NB_WAIT/5017030: timed out
46w2d: TPLUS: Choosing next server 10.10.201.35
46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: Started 5 sec timeout
46w2d: TPLUS(000000ED)/5017030: releasing old socket 0
46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: timed out
46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: timed out, clean up
46w2d: TPLUS(000000ED)/1/5017030: Processing the reply packet
46w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: manny] [Source: 10.10.45.25] [localport: 22] [Reason: Login Authentication Failed] at 01:41:07 UTC Thu Jan 20 1994
46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'
46w2d: TPLUS: Queuing AAA Authentication request 237 for processing
46w2d: TPLUS: processing authentication start request id 237
46w2d: TPLUS: Authentication start packet created for 237(manny)
46w2d: TPLUS: Using server 10.10.201.35
46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: Started 5 sec timeout
46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: timed out
46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: timed out, clean up
46w2d: TPLUS(000000ED)/0/4ED4574: Processing the reply packet
03-29-2017 12:20 AM
Additional Information (Tacacs Server's IP is Correct)
QYS-GFC-SW#show tacacs
Tacacs+ Server - public : 10.10.201.35/49
Socket opens: 62
Socket closes: 62
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 58
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server - private : 10.10.201.35/49
Socket opens: 52
Socket closes: 52
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 40
Total Packets Sent: 0
Total Packets Recv: 0
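The two outputs above (the `debug tacacs authentication` run and the `show tacacs` counters) together tell a fairly precise story: every attempt times out in the NB_WAIT state, `Failed Connect Attempts` keeps climbing, and `Total Packets Sent` stays at 0, so no TACACS+ packet ever leaves the switch. That is a transport-level failure (the TCP connection to port 49 never completes), not a server reject, which is why ISE shows no log hits. The following is an added example, not code from the thread or from Cisco: a small Python triage helper that parses both kinds of output and classifies the failure. The sample input is constructed from the thread's output with the same shape; the counter names, the regexes and the triage hints are assumptions based on what the thread shows.

```python
"""Triage helper for Cisco IOS TACACS+ client output (added example).

Parses 'show tacacs' counters and 'debug tacacs authentication' lines and
classifies a failing login as transport-level (TCP to port 49 never
completes) versus a reply from the server. Sample input is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: same shape as the thread's 'show tacacs' output.
SHOW_TACACS_SAMPLE = """\
Tacacs+ Server - public : 10.10.201.35/49
              Socket opens:         62
             Socket closes:         62
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:         58
        Total Packets Sent:          0
        Total Packets Recv:          0
"""

# Constructed sample: same shape as the thread's debug output.
DEBUG_SAMPLE = """\
46w2d: TPLUS: Using server 10.10.201.35
46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: Started 5 sec timeout
46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: timed out
46w2d: TPLUS: Choosing next server 10.10.201.35
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: Started 5 sec timeout
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out
46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out, clean up
46w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: manny] [Source: 10.10.45.25] [localport: 22] [Reason: Login Authentication Failed] at 01:40:40 UTC Thu Jan 20 1994
"""

@dataclass
class TacacsServerStats:
    name: str                      # 'public' or 'private' block
    address: str
    port: int
    counters: Dict[str, int] = field(default_factory=dict)

SERVER_RE = re.compile(r"Tacacs\+ Server - (\w+)\s*:\s*([\d.]+)/(\d+)")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\d+)\s*$")
# A plain 'timed out' (not 'timed out, clean up') in NB_WAIT: the
# non-blocking TCP connect to the server never completed.
TIMEOUT_RE = re.compile(r"TPLUS\((\w+)\)/(\d+)/NB_WAIT/\w+: timed out$")
LOGIN_FAIL_RE = re.compile(r"Login failed \[user: ([^\]]+)\] \[Source: ([^\]]+)\]")

def parse_show_tacacs(text: str) -> List[TacacsServerStats]:
    """Return one stats object per server block, with its counters."""
    servers: List[TacacsServerStats] = []
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            servers.append(TacacsServerStats(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = COUNTER_RE.match(line)
        if m and servers:
            servers[-1].counters[m.group(1).strip()] = int(m.group(2))
    return servers

def classify_server(s: TacacsServerStats) -> str:
    """'transport': TCP connect fails, nothing sent; 'no-reply': sent but
    nothing received; 'reached': server answered; 'idle': no activity."""
    c = s.counters
    sent = c.get("Total Packets Sent", 0)
    recv = c.get("Total Packets Recv", 0)
    failed = c.get("Failed Connect Attempts", 0)
    if sent == 0 and failed > 0:
        return "transport"
    if sent > 0 and recv == 0:
        return "no-reply"
    if recv > 0:
        return "reached"
    return "idle"

def summarize_debug(text: str) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Count NB_WAIT connect timeouts per request id and collect failed logins."""
    connect_timeouts: Dict[str, int] = {}
    failed_logins: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            connect_timeouts[m.group(1)] = connect_timeouts.get(m.group(1), 0) + 1
        m = LOGIN_FAIL_RE.search(line)
        if m:
            failed_logins.append((m.group(1), m.group(2)))
    return connect_timeouts, failed_logins

def triage(s: TacacsServerStats) -> List[str]:
    """Defender-side checklist for the classified state (assumed hints,
    drawn from what the thread discusses)."""
    hints = {
        "transport": [
            f"TCP to {s.address}:{s.port} never completes; no TACACS+ packet leaves the switch.",
            "Confirm the switch is a registered NAD in ISE under the source IP it actually uses.",
            "Confirm the Device Admin service is enabled and the device admin license is applied on the PSN.",
            "Confirm port 49 is open end to end (firewall rules, and that the PSN listens on it).",
        ],
        "no-reply": ["TCP connects but no reply: check the ISE live log and prrt-server.log with AAA-runtime DEBUG."],
        "reached": ["Server answered: the reject is a policy/credential decision on the ISE side."],
        "idle": ["No activity against this server yet."],
    }
    return hints[classify_server(s)]

if __name__ == "__main__":
    for srv in parse_show_tacacs(SHOW_TACACS_SAMPLE):
        print(srv.name, srv.address, classify_server(srv))
        for h in triage(srv):
            print("  -", h)
    print(summarize_debug(DEBUG_SAMPLE))
```

Feeding the thread's own output into this gives `transport` for both the public and private blocks, which matches the eventual resolution (a missing device admin license on the ISE side, so the PSN was not answering on port 49 at all).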
03-30-2017 10:45 AM
So, this is what I use for TACACS+. We are a smaller install, so we don't use groups.
These are my switch commands.
tacacs-server host <IP_Server1> key <VARIABLE>
tacacs-server host <IP_Server2> key <VARIABLE>
tacacs-server directed-request
tacacs-server administration
radius-server dead-criteria time 5 tries 2
radius-server deadtime 2
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ISE settings are basically default.
03-30-2017 03:33 PM
I would suggest trying a Wireshark/TCPDUMP capture between the ISE PSN and the switch. Also, enable DEBUG on the ISE component AAA-runtime and check prrt-server.log.
04-02-2017 03:43 AM
It's working now. I found out that I had an issue with my device management license; after applying it, it worked perfectly. Thanks folks.
05-09-2018 01:39 PM
Hi Manny,
I am not sure if you tested the redundancy scenario, but I am getting the same error message even though licenses (base + tacacs) are properly installed on each ISE. My situation is the following:
Using an INTEGRATED DEPLOYMENT with 2 ISE nodes. One of them is Primary PAN, Secondary MNT and PSN. The other one is Secondary PAN, Primary MNT and PSN.
I am not using AAA groups for TACACS on the LAN switch. I was testing the redundancy scenario in which the Secondary PSN/Primary MNT was completely shut down (halt command from the CLI). The Primary PAN/PSN did not work, so I decided to test each node individually from the LAN switch. I mean:
When the only entry in the LAN switch is the Primary MNT/PSN, I get the following and TACACS authc worked.
SW#test aaa group tacacs+ test testing legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
Then I removed the IP entry for the Primary MNT/PSN in the switch and replaced it with the PRIMARY PAN/PSN, but it failed and I got this.
SW#test aaa group tacacs+ test testing legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
Have you seen this?
Thanks
05-09-2018 02:32 PM
Please try what I suggested. Use TCPDUMP to check whether the T+ requests are being sent out and received by the ISE PSN. Then, use the ISE live log and runtime DEBUG to debug further.